DistroWatch Weekly

A weekly opinion column and a summary of events from the distribution world


DistroWatch Weekly, Issue 498, 11 March 2013

Welcome to this year's 10th issue of DistroWatch Weekly! The open source community is like a river, always moving, always changing and often shifting in its direction. With that in mind this week we will be talking about open source projects which are embracing change. In the news this week we talk about Ubuntu's plans for replacing the ageing X display software. We will also look in on Debian to see how ambitious developers are bringing new features and hardware support to the community's largest distribution. We will touch on PC-BSD's move to become a rolling release platform and, in this week's feature story, Jesse Smith examines another rolling release project, Sabayon. The Sabayon developers are introducing new features to their project and they maintain a lot of different spins. Read on to learn more about their latest release. Whether you use a cutting edge distribution or a more conservative platform, security is always a concern and this week we talk about potential backdoors in Linux distributions and the community's defence against them. As usual we will share with you the releases of the past week along with podcasts, reviews and newsletters from Around the Web. We are also looking forward to the launch of openSUSE 12.3 which will make its debut this Wednesday. Be sure to keep an eye out for the great green distro on a download mirror near you. We here at DistroWatch wish you a pleasant week and happy reading!


Feature Story (by Jesse Smith)

First look at Sabayon Linux 11

Sabayon Linux is a distribution which uses Gentoo Linux as its base. The Sabayon project is very diverse, featuring many different desktop spins (KDE, GNOME, MATE and Xfce) along with some minimalist and server spins. Each flavour of Sabayon is available in 32-bit and 64-bit x86 builds. This gives users a variety of editions from which to choose and one of them is bound to fit our needs. The distribution maintains a rolling release, meaning packages are constantly updating to keep users up to date with the latest available versions of software. I decided to try the latest release of Sabayon, version 11, and opted to try the project's KDE edition. The KDE edition can be downloaded as a 2.2 GB ISO image.

The latest version of Sabayon Linux comes with a number of new features. Along with KDE 4.9, GNOME 3.6 and LibreOffice 3.6 the Sabayon team provides three different flavours of the MySQL database technology (including the new MariaDB software) and experimental support for Secure Boot technology. The Sabayon developers are also experimenting with a new graphical package manager called Rigo.

Upon booting from the Sabayon media we are presented with a boot menu with several options. We can boot into the distribution's live mode with a graphical desktop; there is also a live console mode should we only wish to use the command line. There is a media centre mode and an option for performing a check of the media's integrity. There are two installation options: one option allows us to launch the regular graphical installer to set up Sabayon on our hard drive. The other installation option is to install Sabayon as a media centre. I didn't use any of the media centre options during my trial, but I used the live modes and the installer, all of which worked well. Sabayon has another boot option, though it may not be immediately obvious. Inserting the Sabayon DVD into a computer running Windows will cause an auto-run file on the media to launch a virtual machine powered by QEMU. The virtual environment brings up the Sabayon boot menu and allows the user to try Sabayon's live environment or attempt to install the distribution within a QEMU window. I suspect this will be useful as a demonstration tool as it removes the need for Windows users to reboot their machine to try the Sabayon distribution.

The Sabayon Linux system installer can be launched either from the distribution's boot menu or from within the live environment. Sabayon uses the Anaconda installer, the same installer which was used by the Fedora project until recently. Anaconda has a fairly straightforward design which I find easy to navigate. The installer walks us through selecting our preferred language and confirming our keyboard map. We are asked to set a hostname for our machine and we are given the option of enabling the operating system's firewall. Next we select our time zone from a map of the world and then we are asked to set a password for our root account.

The following screen asks us to create a regular user account and set a password for this account. The installer will offer to guide us through partitioning the hard disk or we can dive into manually setting up partitions. I found manual partitioning to be fairly painless and the installer supports LVM volumes, most file system types, RAID and encryption. The last screen of the installer asks if we would like to install the GRUB2 boot loader. The installer goes to work copying its files to the hard drive. This took longer than I expected and I got worried when, about a third of the way through, the installer appeared to lock up for several minutes. However, after a time the progress bar started marching across my screen again and Sabayon eventually reported it has installed successfully.

The first time we boot into Sabayon Linux the operating system brings us to a simple, graphical login screen. When we login our web browser opens and displays the project's website. This is convenient if we want to track down more information or get assistance. On the desktop we find an icon which will take us to the distribution's Donations page and another icon which will connect us with the project's on-line live chat channel. There is a third icon for launching the distribution's software manager which we will talk about later. The KDE desktop features a dark blue background. The application menu, task switcher and system tray sit at the bottom of the display. Aside from the web browser opening the first time we login we are not exposed to pop-ups or other annoying distractions. With a little exploring I found the user we create at install time has sudo access, meaning we can run commands as the administrator. Additional user accounts we may create later do not have this admin access by default.

Shortly after logging in an icon in the system tray changed from green to red and moving the mouse over this icon revealed it indicates whether software updates are available. Clicking on this icon we can launch Sabayon's new graphical front end to package management. This new package manager is called Rigo and it replaces the project's previous graphical package manager, Sulfur. I did not enjoy using Rigo. While the interface is apparently designed to be simple and web-like, it has several problems. The first of which is that the program's interface does not redraw itself properly. This means new information does not display itself, buttons appear and disappear seemingly at random, and navigating is difficult as it's not always easy to tell which buttons we can click on and which ones used to be there, but haven't been erased yet. Eventually I got used to the interface, but I ran into a few scenarios where the interface would lock up while I was manipulating packages. Luckily there is a command line interface for dealing with software packages called "equo" and it works quite well. The equo program allows users to search for software, install new packages, remove software and perform upgrades. The syntax for equo is straightforward and I suspect users of YUM, zypper and APT will find equo familiar. I found equo to be a reliable tool and I encountered no problems while using it.

I ran Sabayon Linux on my laptop (dual-core 2 GHz CPU, 4GB of RAM, Intel video card, Intel wireless card) and in a VirtualBox virtual machine. When running on the laptop I found Sabayon worked well. My screen was set to its maximum resolution, sound worked out of the box and I was able to connect to wireless networks with a few mouse clicks. Performance was a touch slow on the laptop at first, and I found disabling desktop effects and KDE's file indexing improved performance. Sabayon was never what I would call fast, its speed remained below average, but it was certainly usable. When running in the virtual environment all of Sabayon's features worked properly, but the distribution was very slow. Booting or shutting down the system took several minutes and launching applications took several times longer than I would expect from a distribution running KDE. Memory usage was about on par with other KDE distros and I found Sabayon used approximately 240MB of RAM. The edition of Sabayon I was using comes with a lot of material on the installation DVD and the distro requires about 6GB of hard drive space for installation.

Sabayon comes with a good collection of applications and we have a wide range of functionality out of the box. The KDE edition of Sabayon comes with the Chromium web browser, the Konqueror browser, the Konversation IRC client and the Kopete instant messenger client. LibreOffice is included in the application menu as is the Okular document viewer. To help us get on-line Sabayon comes with Network Manager and the KPPP dial-up software. Under the Multimedia section of the menu we find the Clementine audio player, the VLC video player, the XBMC media centre and the k3b disc burning software. Sabayon comes with codecs for playing a wide range of popular audio and video formats as well as Adobe's Flash player.

The application menu also comes with various system utilities such as the KDE Partition Manager, the KUser account manager, the Yakuake drop-down terminal and the KInfoCentre. We have access to an archive manager, the KGpg privacy tool, a text editor and calculator. There are accessibility tools in the default install which will read text, assist users with manipulating the mouse pointer and magnify the screen. There are links in the application menu which direct us to key areas of the project's website and we have access to a collection of small games. Java is installed for us by default, as is the GNU Compiler Collection. In the background we find the Linux kernel, version 3.7. In addition to the software available out of the box most popular open source applications can be found in the distribution's repositories.

On the Sabayon website the project's mission statement reads: "We aim to deliver the best out of the box user experience by providing the latest open source technologies in an elegant format." For the most part I feel the project accomplishes these goals, though there are a few caveats. Sabayon does provide recent versions of popular open source software. We find multimedia codecs, Flash and a lot of functionality with regards to desktop software, compilers and command line tools -- all available in the default installation. The desktop strikes me as being attractive and easy to navigate. We are provided with good documentation, subtle notifications of software updates and the project has a nice, easy to navigate website. I like the project's installer, the evolutionary improvements to Anaconda made by the Sabayon developers perfectly represent what I wish the Fedora team had done with their venerable system installer. I love that there are so many editions from which to choose. In short, we do indeed have some of the latest open source software presented in an elegant manner.

I really just have two complaints with regards to Sabayon Linux 11. The first is with the graphical package manager, Rigo. The command line interface for package management was fine, but the new graphical front-end was a nightmare. Buttons appeared and disappeared, navigation was tricky, I kept seeing parts of notices appear and the interface regularly locked up. I realize the developers are trying something different and there were problems with the old GUI, but the new one was not, in my opinion, ready for end users. My other concern was with the performance of Sabayon. When running on my laptop the distribution was noticeably sluggish. It was still usable, but there was definitely lag, especially when compared next to my experiment a few weeks ago with another KDE distro, Chakra.

When running in a virtual environment performance degraded further and I found Sabayon would take several minutes to boot, applications took up to ten times longer to load than they did when I was running Chakra or Kubuntu and the interface was slow to respond to input. I was able to improve upon Sabayon's performance by disabling extra services and disabling desktop effects, but the distribution never reached the level of performance I've come to expect from recent Linux distributions running KDE. Perhaps this issue with performance was a matter specific to my hardware. I hope so as Sabayon is otherwise a well assembled distribution. It's attractive, it's cutting edge, it has a nice installer, lots of functionality out of the box and an attractive layout. It is a distribution well worth looking at, especially if you want out of the box features and want something which feels different from what other big-name Linux distributions offer.

The developers at Canonical are working on an alternative display server which they hope will eventually replace the venerable X software. We aren't talking about Wayland, which has looked like a possible X Window replacement, but a brand new project called Mir. The new project looks to address some of the limitations of X Window and the project's mission statement on the Ubuntu Wiki reads, "Users nowadays expect a more consistent and a more integrated user experience than what is possible to offer on top of the X Window system. Even more recent developments like the introduction of compositors to the X stack do not fully solve the situation and both shell and application development do have to deploy workarounds to overcome issues with the X rendering model." At the moment it looks as though Ubuntu users may expect to see an early version of Mir in October 2013. The name Mir, with its implication of a peaceful "connectedness", joins the ranks of other Canonical projects (including Ubuntu, Unity & One) named with a sense of united community in mind.

In other Ubuntu related news Hewlett-Packard (HP) is having another go at selling personal computers with the popular Linux distribution pre-installed. The OMG Ubuntu website features commentary on the new all-in-one offering. "Long story short: you won't have any problem running Unity, multi-tasking, or watching HD films on this, but a gaming rig or video editing workstation it ain't." Though the machine is currently available only in the United Kingdom it is good to see HP take further interest in open source operating systems. Hopefully more hardware companies will move to offer Linux-based solutions for consumers in the future.

* * * * *

The Raspberry Pi project recently turned one year old. The Pi is a low-cost ARM-based computer designed to be educational and fun. Over the past year several Linux distributions have been tailored to work on the device, including Fedora and Arch. However, possibly the most successful of the Pi's operating systems has been the Debian-based Raspbian project. Last week Ars Technica posted a story on how two volunteers used Debian's repositories to build their highly popular operating system for the Raspberry Pi. From the article, "Debian had added floating point support for the ARMv7 processor, but not the ARMv6 processor used in the Pi. Debian 'didn't see a product like the Raspberry Pi coming on the horizon. Even though ARMv6 in Pi has a pretty capable floating point unit, they didn't support it,' Thompson said. Thus, 'all the thousands or tens of thousands of software packages they built wouldn't support the Raspberry Pi.'"

This past week the Debian project released an update to Debian GNU/Linux 6.0, code named "Squeeze". The new release, version 6.0.7, does not indicate a new Stable version of Debian, but rather a collection of security fixes which have been integrated into the installation media. Details on the update are available in the release announcement. The Debian project has also put out a call for volunteers who would like to take part in their Summer of Code program. Some ideas for new projects have already started to flow in, including integrated support for the ZFS file system in Debian's GNU/Linux branch.

* * * * *

A quarterly report on the status of FreeBSD and its related projects is available from the FreeBSD website. The report covers a wide range of topics including the introduction of better support for AMD graphics drivers, improvements to FreeBSD's patch command, better ARM support in the default compiler and much more. The report includes comments about on-going work where volunteers are welcome and there is an invitation for new project ideas for this year's upcoming Summer of Code.

* * * * *

Back in February we reported that the PC-BSD developers were considering a move to a more fluid release cycle which would allow the project to upgrade their software packages more frequently than PC-BSD's parent project, FreeBSD. Kris Moore, the founder of the PC-BSD project, announced last week that test images are now available for people wishing to try a rolling release of PC-BSD. Instructions for upgrading existing PC-BSD 9.1 installations to the new rolling release model are provided in this mailing list post. The PC-BSD project will use the Pkgng package manager to keep users up to date with the project's software repository.

Questions and Answers (by Jesse Smith)

Security and potential malware in Linux distributions

Locking-the-back-door asks: Is there any assurance that distros are secure and don't have any built in hijacks -- a key logger or spam server, etc? I've always tried to pick distros that have many developers or have been around for a number of years. There are a few I'd like to try, but I'm a little nervous and don't have the time to wade through all the source code. Are there versions of Linux out there that are known to have included malware?

DistroWatch answers: People who are very security conscious face a big challenge when it comes to modern operating systems. Relatively few people have the skills required to search through the source code of an application or a kernel. Even if a person has the skills required nobody has the time to go through the millions of lines of code which make up a modern Linux distribution. It is theoretically possible for a malicious person to slip unwanted code into an application, into the kernel, into a compiler or into the computer's hardware. There is a lot of complexity in a modern personal computer and that makes for a lot of hiding places. So if you're looking for a guarantee your operating system (or your hardware) is hijack free, I'm afraid I cannot offer any 100% assurances. However, there are many checks and balances in place which make malware unlikely.

The open source community has a number of characteristics which make it relatively well protected against malware. A high percentage of the open source community is made up of people who have technical skills and a heightened awareness of security issues. Another virtue in our favour is that many people in the open source community are vocal. The result is an environment where people are constantly looking at their technology, constantly examining source code and when something undesirable is found it is announced all across the community. A third factor in our favour is that while the open source community is widespread (global) it is relatively tight-knit. A lot of developers are in contact with other developers and exchanging notes, reading each other's code and, should one coder do something malicious, the rest of the development community would be unlikely to accept code from that person in the future.

As an example of the community at work, I contribute to a small project which is old enough to be stable and small enough (and I suppose modular enough) that it is often used as a test subject for code analyzers. University students from all around the world have used this project as a test case for their security scanners and code analyzers. Anytime they find a potential vulnerability or a potential problem, they contact us to make sure it's fixed and, if the code weren't fixed, they would have let the world know. The students then run their scanners on larger, more complex projects, such as office suites and compilers. Since Linux distributions are made up of open source software this gives lots of people, like the students, a chance to search for potential security issues.

In the above example there is a friendly exchange taking place. One person gets a free code review, the other gets a test subject for their university project. However, not all code reviews are carried out with the ideal of mutual benefit. Sometimes code audits happen because competitors want to make sure they aren't being compromised. For instance, both Google and Apple work on WebKit, the software which goes into many of the major web browsers. Both companies review the code which goes into WebKit to make sure they are benefiting from the changes which go into the software. As the code is constantly reviewed no one contributor can gain an unfair advantage and, in addition, it is highly unlikely a backdoor could be added to the code.

Another example of the community protecting itself came when someone made a claim that a backdoor had been slipped onto OpenBSD years ago. Even without any evidence being presented and only vague claims being made by the whistle blower, developers still dived into the code, looking for potential problems. For months the possibility was discussed and examined. It appears to have been a false alarm, but the ripples of the rumour spread throughout the community and people attempted to verify (or disprove) the claim. Likewise, when a patch to Debian's copy of OpenSSL was found to be vulnerable the news quickly spread through the community, as did patches and workarounds. When Fedora introduced more relaxed security controls with regards to package updates, again the community jumped on the potential problem, raising alarms and filing bug reports. What it boils down to is there are always people in the open source community looking for security issues and, when they are found, those problems are made known by way of blogs, security mailing lists and news websites. It's hard to maintain a secret, especially a dangerous one, in open source circles.

Are there distributions which have distributed malware? I suppose it depends on how loosely we define malware and whether we include intentionally insecure distributions. There are projects which ship insecure distributions in order to let people practice compromising and patching operating systems. These aren't malicious distributions, they are teaching tools. According to the Electronic Frontier Foundation and the Free Software Foundation the Ubuntu Dash qualifies as spyware. On the other hand, Ubuntu is quite up front about what the Dash does and they have included a way for the user to turn off the controversial feature. These cases aside I don't believe I've ever heard of any of the major distributions shipping malware on purpose. Chances are, were any mainstream distribution to ship intentionally malicious code that project would quickly find itself without any users. For people worried about security, large community distributions are a good way to go.

Josko Plazonic has announced the release of Springdale Linux 6.4, a distribution formerly known as PUIAS Linux and built from source packages for Red Hat Enterprise Linux 6.4: "We just made Springdale Linux 6.4 available. This release follows the 5.9 release in renames to Springdale - so new name, new logos. Of course the big news is over 1,000 package updates with many goodies and new features. For further information please check RHEL 6.4 release notes. One small note on an issue we've seen during internal testing. New versions of NSS libraries have in effect blocked SSL connections to sites and services using SSL certificates with MD5 hash signatures. For example, if your LDAP server is using such a certificate then sssd will stop working." Get the details from the project's release announcement.

Barry Kauler has announced the release of Puppy Linux 5.5 "Slacko" edition, a small and fast distribution built from and compatible with Slackware's binary packages: "Slacko Puppy is built from Slackware 14.0 binary TXZ packages, hence it has binary compatibility with Slackware Linux and access to the Slackware, Salix and Slacky package repositories. Slacko 5.5 has many improvements due to the heavy development of the woof build system and the many bug fixes to the Slacko base packages. Through the dedication of many testers and developers we were able to produce what is a great working dog Puppy that can rejuvenate your hardware and show its potential. Release notes: improved SFS manager; improved updates manager - to get the latest; new kernels following LTS branches; improved graphics support, with KMS and Mesa...." Read the release announcement and release notes for more details.

Jörg Schirottke has announced the release of KANOTIX 2013, a special edition of the Debian-based distribution created for the CeBIT trade show taking place this week in Hannover, Germany: "As a little surprise there is a new KANOTIX ISO image with some special features not found in normal releases. The main difference is that a newer glibc 2.17 is used (from Debian 'experimental') which has the effect that self-compiled binaries cannot be shared with Debian 'Wheezy' users. If that does not affect you you can enjoy the new features: Linux kernel 3.8.2; NVIDIA 313.18 and fglrx 13.2 Beta 7 available in gfxdetect mode and the auto-detection works after hard disk install in that mode as well; Mesa 9.1 for open-source GFX drivers, best suited for Intel HD 2000+; Amarok 2.7.0; WINE 1.5.25; LibreOffice 4.0.0; GRUB 2.00...." Here is the brief release announcement.

Karanbir Singh has announced the release of CentOS 6.4, the updated build of the enterprise-class Linux distribution compiled from the source code of Red Hat Enterprise Linux 6.4: "We are pleased to announce the immediate availability of CentOS 6.4 install media for i386 and x86_64 architectures. CentOS 6.4 is based on the upstream release EL 6.4 and includes packages from all variants. All upstream repositories have been combined into one, to make it easier for end users to work with. There are many fundamental changes in this release, compared with the past CentOS 6 releases, and we highly recommend that everyone study the release notes as well as the upstream technical notes about the changes and how they might impact your installation. Everyone who has centos-cr repositories enabled and in use would already be running CentOS 6.4 as of two weeks ago." Read the release announcement and release notes for more details.

Barry Kauler has announced the release of Puppy Linux 5.5 "Precise" edition, a small distribution built from and compatible with Ubuntu 12.04.2 binary packages: "Well, time marches on and Ubuntu have released their second build of 'Precise Pangolin', 12.04.2. Precise Puppy 5.5 is built from 12.04.2 DEBs, but of course it is extremely important to understand with Puppy Linux that our use of the binary packages of another distro is only a convenience for us, to obtain binary compatibility, hence compatibility with that distro's package repositories -- in all other respects, from the lowest levels of the infrastructure upward, Puppy is unique. There have been many bug fixes and improvements at the Woof level since Precise 5.4.3 was released, plus many package fixes and upgrades. Enough to warrant the number jump to 5.5." See the release announcement and release notes for additional details.

Eric Turgeon has announced the release of GhostBSD 3.0, a FreeBSD-based operating system for the desktop with a choice of GNOME 2, LXDE and Openbox user interfaces: "The GhostBSD team is pleased to announce that version 3.0 is now available. This release includes many new features and enhancements, such as improved system installer, Openbox window manager and much more. From GhostBSD: improvements of the auto-configuration wireless networking script; auto-configuration of X.Org; NVIDIA drivers ready; 3D acceleration is supported on some Intel graphics cards; numerous bug fixes to GhostBSD-related utilities. From FreeBSD 9.1: new Intel GPU driver with GEM/KMS support; netmap(4) fast userspace packet I/O framework; ZFS improvements from the Illumos project...." Here is the complete release announcement.

Anke Boersma has announced the release of Chakra GNU/Linux 2013.03, a desktop Linux distribution for 64-bit computer systems featuring the very latest KDE desktop: "With this second release of 'Benz' (a code name that will follow the KDE SC 4.10 series), the Chakra project team is very happy to announce a new feature that has been on the wishlist for quite some time. Tribe (the installer) has a 'netinstall' feature implemented, giving the user the option for a regular offline install, or install fully updated packages, starting with a minimal functional KDE desktop, and adding groups of packages to that minimal install as desired. KDE SC is updated to 4.10.1. The over 100 recorded bug fixes since 4.10.0 include improvements to the Kontact personal information management suite, and the KWin window manager." See the full release announcement for more details and screenshots.

Jay Flood has announced the release of Porteus 2.0 "Kiosk" edition, a minimalist Linux distribution for web-only terminals with Firefox as the sole application: "The Porteus community is proud to announce the Porteus 2.0 Kiosk edition. Based on Slackware Linux 14.0 and with Linux kernel 3.7.8 and Firefox 19.0.2, this is a 32-bit system which is entirely locked down to prevent tampering with any of the components (including the browser), making this a perfect fit for kiosks and other publicly available web terminals. The ISO image is 37 MB and it contains only the libraries and utilities which are required to launch Firefox. Additional software may bring along security risks and affect stability in a restricted environment which is why we have removed everything else from this edition." Read the rest of the release announcement for a brief list of features.

Window Maker Live. Window Maker Live is a Debian-based Linux distribution that applies the Window Maker window manager as the default graphical user interface and integrates well-known open-source components in an attractive and usable user interface. The distribution includes integrated GNOME components, as well as the Firefox web browser and the Thunderbird mail client both of which are enhanced with essential productivity add-ons.
